Posted to cvs@httpd.apache.org by gb...@apache.org on 2023/04/05 06:38:18 UTC
svn commit: r1908981 - in /httpd/httpd/trunk/server: apreq_module_cgi.c apreq_parser.c apreq_parser_header.c apreq_parser_multipart.c apreq_parser_urlencoded.c
Author: gbechis
Date: Wed Apr 5 06:38:18 2023
New Revision: 1908981
URL: http://svn.apache.org/viewvc?rev=1908981&view=rev
Log:
Fix possible NULL pointer dereference caused by apreq_param_make()
The function apreq_param_make() will return NULL on failure. However,
NULL checks are forgotten before dereference, which could lead to a
NULL pointer dereference.
Adding NULL checks to all uses of apreq_param_make().
Submitted by: Zhou Qingyang <zh...@umn.edu>
Github: closes #303
Modified:
httpd/httpd/trunk/server/apreq_module_cgi.c
httpd/httpd/trunk/server/apreq_parser.c
httpd/httpd/trunk/server/apreq_parser_header.c
httpd/httpd/trunk/server/apreq_parser_multipart.c
httpd/httpd/trunk/server/apreq_parser_urlencoded.c
Modified: httpd/httpd/trunk/server/apreq_module_cgi.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/apreq_module_cgi.c?rev=1908981&r1=1908980&r2=1908981&view=diff
==============================================================================
--- httpd/httpd/trunk/server/apreq_module_cgi.c (original)
+++ httpd/httpd/trunk/server/apreq_module_cgi.c Wed Apr 5 06:38:18 2023
@@ -562,6 +562,8 @@ static apr_status_t cgi_args(apreq_handl
if (val == NULL)
val = "";
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->args);
val = p->v.data;
@@ -642,6 +644,8 @@ static apreq_param_t *cgi_args_get(apreq
if (val == NULL)
return NULL;
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return NULL;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->args);
val = p->v.data;
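Review bot: The added `return NULL;` in cgi_args_get makes an allocation failure indistinguishable from the `if (val == NULL) return NULL;` case two lines above, so a caller sees "parameter not present" when the request value was actually dropped. The same applies to the matching hunk in cgi_body_get. Since the return type leaves no room for a status, I would at least document it at the check, e.g. `/* out of memory: reported to the caller as "no such parameter" */`, so later callers do not treat a NULL result as proof that the parameter is absent. Both functions start and end outside their hunks, so whether a log call is available here cannot be seen.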
@@ -678,6 +682,8 @@ static apr_status_t cgi_body(apreq_handl
if (val == NULL)
val = "";
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->body);
val = p->v.data;
@@ -720,6 +726,8 @@ static apreq_param_t *cgi_body_get(apreq
if (val == NULL)
return NULL;
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return NULL;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->body);
val = p->v.data;
Modified: httpd/httpd/trunk/server/apreq_parser.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/apreq_parser.c?rev=1908981&r1=1908980&r2=1908981&view=diff
==============================================================================
--- httpd/httpd/trunk/server/apreq_parser.c (original)
+++ httpd/httpd/trunk/server/apreq_parser.c Wed Apr 5 06:38:18 2023
@@ -228,6 +228,8 @@ APREQ_DECLARE_PARSER(apreq_parse_generic
ctx->status = GEN_INCOMPLETE;
ctx->param = apreq_param_make(pool,
"_dummy_", strlen("_dummy_"), "", 0);
+ if (ctx->param == NULL)
+ return APR_ENOMEM;
ctx->param->upload = apr_brigade_create(pool, parser->bucket_alloc);
ctx->param->info = apr_table_make(pool, APREQ_DEFAULT_NELTS);
}
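Review bot: The new early return leaves `ctx->status` at `GEN_INCOMPLETE` with `ctx->param == NULL`. The lines before this hunk are not visible, but if `ctx` has already been stored in `parser->ctx` by the time apreq_param_make() is called, a second invocation of the parser would skip this initialisation block and could reach the `ctx->param` dereferences the commit is trying to protect. I would record the failure before returning, e.g. `if (ctx->param == NULL) { ctx->status = GEN_ERROR; return APR_ENOMEM; }` (assuming the status enum has an error member of that name), or assign `parser->ctx` only after the parameter has been created successfully.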
Modified: httpd/httpd/trunk/server/apreq_parser_header.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/apreq_parser_header.c?rev=1908981&r1=1908980&r2=1908981&view=diff
==============================================================================
--- httpd/httpd/trunk/server/apreq_parser_header.c (original)
+++ httpd/httpd/trunk/server/apreq_parser_header.c Wed Apr 5 06:38:18 2023
@@ -84,6 +84,8 @@ static apr_status_t consume_header_line(
int i, eol = 0;
param = apreq_param_make(pool, NULL, nlen, NULL, vlen);
+ if (param == NULL)
+ return APR_ENOMEM;
*(const apreq_value_t **)&v = ¶m->v;
arr.pool = pool;
Modified: httpd/httpd/trunk/server/apreq_parser_multipart.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/apreq_parser_multipart.c?rev=1908981&r1=1908980&r2=1908981&view=diff
==============================================================================
--- httpd/httpd/trunk/server/apreq_parser_multipart.c (original)
+++ httpd/httpd/trunk/server/apreq_parser_multipart.c Wed Apr 5 06:38:18 2023
@@ -472,6 +472,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipa
param = apreq_param_make(pool, name, nlen,
filename, flen);
+ if (param == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(param);
param->info = ctx->info;
param->upload
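Review bot: All four added `return APR_ENOMEM;` paths in apreq_parse_multipart return without touching `ctx->status`, so the parser context stays in whatever state it was in when the allocation failed. The rest of the function is outside these hunks, but if its other failure paths mark the context as failed before returning, these should do the same so that a later call with the same context does not resume in the middle of a part. Suggested form for each of the four checks: `if (param == NULL) { ctx->status = MFD_ERROR; return APR_ENOMEM; }`. These parameters are built from request data (they are tainted immediately after creation), so the out-of-memory path should be as well defined as the other error exits.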
@@ -505,6 +507,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipa
nlen = strlen(name);
param = apreq_param_make(pool, name, nlen,
filename, flen);
+ if (param == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(param);
param->info = ctx->info;
param->upload = apr_brigade_create(pool,
@@ -532,6 +536,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipa
flen = 0;
param = apreq_param_make(pool, name, nlen,
filename, flen);
+ if (param == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(param);
param->info = ctx->info;
param->upload = apr_brigade_create(pool,
@@ -569,6 +575,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipa
param = apreq_param_make(pool, ctx->param_name,
strlen(ctx->param_name),
NULL, len);
+ if (param == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(param);
param->info = ctx->info;
Modified: httpd/httpd/trunk/server/apreq_parser_urlencoded.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/apreq_parser_urlencoded.c?rev=1908981&r1=1908980&r2=1908981&view=diff
==============================================================================
--- httpd/httpd/trunk/server/apreq_parser_urlencoded.c (original)
+++ httpd/httpd/trunk/server/apreq_parser_urlencoded.c Wed Apr 5 06:38:18 2023
@@ -64,6 +64,8 @@ static apr_status_t split_urlword(apreq_
return APR_EBADARG;
param = apreq_param_make(pool, NULL, nlen, NULL, vlen);
+ if (param == NULL)
+ return APR_ENOMEM;
*(const apreq_value_t **)&v = ¶m->v;
arr.pool = pool;